Monday, 6 November 2017

I've just configured Windows 10 AutoPilot in my test Azure tenant and enrolled my first devices. It's really easy and the experience has been mostly very positive. I had one issue which actually turned out not to be a technical issue but I'll get to that a little later on.

What is Windows AutoPilot?

The official Microsoft definition is as follows: "Windows AutoPilot is a collection of technologies used to setup and pre-configure new devices, getting them ready for productive use".

It's actually the Microsoft equivalent of Apple's Device Enrollment Program (DEP), for those of you familiar with managing Apple devices in the corporate world. The idea is that a user can take delivery of their new Windows 10 device and join it to the organization's Azure Active Directory in a matter of minutes without having to complete all the annoying setup screens. Also, the user does not have to end up being a local administrator on the device, as used to be the case with manual Azure AD Join (unless you want the user to be a local administrator of course, which is doubtful).

This is all part of the Microsoft modern management story. Traditional management typically leverages technologies such as Active Directory, Group Policy and ConfigMgr to provide deep manageability and security. Make no mistake, this is set to continue. Modern management is a more simplified approach using cloud-based solutions like Microsoft Enterprise Mobility + Security (EMS), which includes Azure AD Premium and Intune. It's complemented by cloud services like Azure Information Protection, Office 365 and Microsoft Store for Business. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment in areas like provisioning, authentication and configuration management.

At a recent event I was asked about modern management and the scenarios in which it was useful. I didn't give a particularly useful answer at the time but I've had time to reflect on the question since. In my opinion modern management is useful when you don't particularly care too much about the device. It's all about the data and access to corporate resources. For remote users that primarily use Office 365 the modern management scenario is ideal. Access to corporate resources is managed and controlled by Azure AD and Intune conditional access, and data is protected by Azure Information Protection policies. Don't get me wrong, we can still manage the devices to a high standard using Windows 10 Configuration Service Providers (CSPs), although these are a subset of what can be managed using traditional group policy objects (GPOs).

So back to Windows AutoPilot, the steps to configure the solution are as follows:

Prerequisites

Hardware ID

Add devices to tenant

Assign AutoPilot deployment profile

Windows 10 configuration via CSP (optional)

User turns on device and signs in

Step 1 - Prerequisites

Devices must be pre-installed with Windows 10, version 1703 or later

Devices must have access to the internet

Azure AD Premium P1 or P2 licenses

Microsoft Intune or other MDM services to manage your devices

Azure AD configured for Intune autoenrollment (note that Windows Autopilot is not supported on Intune hybrid at this time, although it "may" work).

Devices must be registered to the organization (we'll do this in step 3)

Step 2 - Hardware ID

This step involves harvesting hardware information from your Windows 10 devices and uploading this information to your tenant in advance. This hardware information includes the device serial number, the Windows Product ID and the hardware hash, in CSV format. As usual there are a number of ways to gather the information and upload it.

Note: I've gathered the hardware information manually from a VM in my lab for the purposes of the demo. In reality, from early 2018 we won't have to do this in production. The main hardware vendors have signed up (or will sign up) to participate in the Windows AutoPilot program. This means that they will provide this CSV for each device that they ship directly to users. There are also plans to allow the vendors to upload this information to your tenant on your behalf. Watch this space.

I've chosen to create the CSV file using a PowerShell script provided by Microsoft. See here for a description of the script. It's in the PowerShell Gallery so you don't have to download and install it. It installs automatically when you execute it from the PoSH console (run as administrator).

Execute the script:

Install-Script -Name Get-WindowsAutoPilotInfo
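Here is how I'd script the harvest and sanity-check the file before it goes anywhere near the tenant, as an added example that isn't from the original post. Install-Script, Get-WindowsAutoPilotInfo and its -OutputFile/-Append parameters are Microsoft's; the file path and the checks are my own additions.

```powershell
# Added example (not from the original post): harvest the hardware ID CSV with Microsoft's
# Get-WindowsAutoPilotInfo script, then validate the file before uploading it.
# Run from an elevated PowerShell console (the hardware hash is read from WMI and needs admin rights).
Install-Script -Name Get-WindowsAutoPilotInfo -Force

$csv = Join-Path $env:TEMP 'AutoPilotDevices.csv'   # assumed output location
if (Test-Path $csv) { Remove-Item $csv }

# -OutputFile and -Append are the script's own parameters; -Append lets several runs
# (for example one per -ComputerName) land in the same file.
Get-WindowsAutoPilotInfo.ps1 -OutputFile $csv -Append

# The three columns the AutoPilot CSV format expects.
$expected = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
$rows = @(Import-Csv -Path $csv)
if (-not $rows.Count) { throw "No rows found in $csv" }
$header  = @($rows | Get-Member -MemberType NoteProperty | ForEach-Object Name)
$missing = @($expected | Where-Object { $header -notcontains $_ })
if ($missing.Count) { throw "CSV is missing column(s): $($missing -join ', ')" }

$problems = New-Object System.Collections.Generic.List[string]
foreach ($row in $rows) {
    $serial = $row.'Device Serial Number'
    if ([string]::IsNullOrWhiteSpace($serial)) { $problems.Add('Row without a serial number'); continue }
    if ([string]::IsNullOrWhiteSpace($row.'Hardware Hash')) { $problems.Add("${serial}: empty hardware hash"); continue }
    # The hash is a Base64 blob of several KB; a decode failure means it was truncated or mangled
    # (opening and re-saving the file in a spreadsheet is a common cause).
    try { [void][Convert]::FromBase64String($row.'Hardware Hash') }
    catch { $problems.Add("${serial}: hardware hash is not valid Base64") }
}
foreach ($dup in ($rows | Group-Object 'Device Serial Number' | Where-Object { $_.Count -gt 1 })) {
    $problems.Add("Duplicate serial number: $($dup.Name)")
}

if ($problems.Count) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Fix the CSV before uploading it.'
}
Write-Host "$($rows.Count) device(s) ready to upload from $csv"
```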

Step 3 - Add devices to tenant

Note: Even though we can create AutoPilot deployment profiles in the Intune portal we cannot add devices there at this time. If we want to use Intune profiles we must add devices to the Microsoft Store for Business (MSfB) and sync to Intune.

Select "Manage".

Select "Devices". Click "Add devices". Navigate to the CSV file and add the device to a deployment group when prompted.

Device is added to your tenant.

Step 4 - Assign AutoPilot deployment profile

There are two options for this. We can create deployment profiles in either the Microsoft Store for Business or the Intune Portal (in Azure).

Step 5 - Windows 10 configuration via CSP (optional)
This isn't really part of Windows AutoPilot but is very much part of the modern management story, so it is worth a mention. We can configure some Intune policies using Windows 10 Configuration Service Providers, and these will apply to the devices once they are joined to Azure AD and enrolled in Intune.

It's very straightforward to create and deploy a CSP policy. Read more about CSPs here.

In the Intune Portal, navigate to Device configuration.

Choose Create Profile.

I want to disable Bluetooth on my devices. Enter a name and choose the platform and profile type. Select Configure.

I have two VMs for testing. The one on the left is the one whose hardware details have been uploaded to my tenant and assigned a Windows AutoPilot profile (it has been reset). The other is just a regular Windows 10 v1709 VM.

Select your region.

Select your keyboard layout.

Do you need a second keyboard layout? So far so good.

Now the VMs connect to the internet for updates. The VMs have an Ethernet connection. Otherwise I would've been prompted to join a wireless network. Remember that an internet connection is required.

....and here we go. The Windows AutoPilot deployment profile has been applied to the VM on the left.

I spent quite a while trying to figure out how to get my tenant name to appear as shown above. I kept getting a "Sign in with Microsoft" screen and as a result thought that the autopilot profile did not apply. All the Microsoft documentation and demos showed this and it turns out that this is misleading. Damion, Mayank and Maciek from Microsoft helped me to understand that this customization is not actually part of the autopilot profile.

I figured out that this comes from the Company Branding feature of Azure.

You don't really have to configure it very much. The status just can't be "Not configured".

MFA kicks in (note that the user is walked through the MFA setup process if they haven't already completed).

Set up Windows Hello PIN......

....and we're done. Now let's examine the two VMs.

Both are joined to Azure AD but I don't have administrator permissions on the autopilot VM.

This is verified by looking at the local administrators group.

(Note that if the user is a global administrator on the tenant they will be a local administrator on the device, regardless of the AutoPilot settings).

See my optional CSP configuration. Bluetooth is disabled on both devices with no possibility of turning it on. I've shown another computer with Bluetooth enabled for comparison.
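The local administrators and Bluetooth checks above were done by eye in the screenshots; here is the same verification from the device itself, as an added example that is not from the original post. It assumes the Intune profile used the Policy CSP setting Connectivity/AllowBluetooth and that Windows mirrors that value under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device (an assumption about where Policy CSP values are stored); the function name is mine.

```powershell
# Added example (not from the original post): report the post-enrollment state of a device.
# Assumption: Intune delivered Policy CSP Connectivity/AllowBluetooth and Windows mirrors the
# value under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Connectivity.
function Get-AutoPilotDeviceState {
    # dsregcmd /status reports Azure AD join and MDM enrollment state.
    $ds = dsregcmd /status
    $azureAdJoined = [bool]($ds | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')
    $mdmMatch = $ds | Select-String -Pattern 'MdmUrl\s*:\s*(\S+)'
    $mdmUrl = if ($mdmMatch) { $mdmMatch.Matches[0].Groups[1].Value } else { $null }

    # Direct members of the local Administrators group. On an AutoPilot-joined device the
    # signed-in user should not be here (unless they are a global admin on the tenant, as noted above).
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object Name)
    $currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $userIsLocalAdmin = $admins -contains $currentUser   # -contains is case-insensitive

    # Policy CSP Connectivity/AllowBluetooth: 0 = not allowed, 2 = allowed (1 is reserved).
    $btKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Connectivity'
    $bt = Get-ItemProperty -Path $btKey -Name AllowBluetooth -ErrorAction SilentlyContinue
    $bluetoothBlocked = ($null -ne $bt) -and ($bt.AllowBluetooth -eq 0)

    [pscustomobject]@{
        AzureAdJoined    = $azureAdJoined
        MdmUrl           = $mdmUrl
        CurrentUser      = $currentUser
        UserIsLocalAdmin = $userIsLocalAdmin
        LocalAdmins      = $admins -join '; '
        BluetoothBlocked = $bluetoothBlocked
    }
}

$state = Get-AutoPilotDeviceState
$state | Format-List

# What the post observed on the AutoPilot VM: joined, no local admin rights, Bluetooth blocked.
if (-not $state.AzureAdJoined)    { Write-Warning 'Device is not Azure AD joined' }
if ($state.UserIsLocalAdmin)      { Write-Warning 'Signed-in user is a local administrator' }
if (-not $state.BluetoothBlocked) { Write-Warning 'AllowBluetooth policy not found or not set to 0' }
```

Membership through an Azure AD group is not visible to Get-LocalGroupMember as the user's own name, so a user who is a global administrator on the tenant may still report UserIsLocalAdmin = False here.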

Summary

Overall this was a brilliant experience. Windows AutoPilot is a dead cool technology and still a work in progress. However there are a couple of things requiring a little more work.

We're still not able to add devices directly into Intune. We have to add to MSfB and sync to Intune.

You cannot remove devices in Intune. The facility to remove devices is available in MSfB but I had some difficulty and got the error message "Try that again. Some of the devices weren't removed".

Devices cannot be renamed in MSfB or Intune.

The Microsoft documentation is very misleading and I wasted a lot of time as my tenant name didn't appear on the sign-in screen. It turns out that this is configured using Company Branding, not AutoPilot. I would like to see Company Branding enabled with default settings as soon as an AutoPilot deployment profile is created.

Sunday, 1 October 2017

Comanagement has arrived. It was announced by Microsoft last week at Ignite so we can finally talk about it publicly. This is one of the most important features to be delivered by Microsoft in recent years and will eventually cause a shift in the way that enterprises manage their devices. It is inevitable.

So, what is comanagement?

Quite simply, it is the ability to manage Windows 10 devices with ConfigMgr and Intune AT THE SAME TIME.

Why is comanagement important?

The majority of organizations use Active Directory (with GPO) and ConfigMgr to manage their on-premises devices. The Microsoft vision is to manage Windows 10 devices using modern management with Intune. It is expected that comanagement will create a bridge between the two to simplify and reduce the risk of the transition to modern management. The expectation is that organizations will transition in a phased manner as they move workloads one at a time (e.g. device compliance).

Some additional jargon:

Modern management: managing Windows 10 devices using Intune MDM and Configuration Service Providers (CSPs).

Intune Management Extensions: codename Sidecar, these will add to Intune's MDM capability. The first extensions expected will allow administrators to run PowerShell scripts on managed devices and also manage Win32 and .exe applications.

Microsoft 365 Powered devices: these are Windows 10 devices running Office 365 ProPlus which are managed by Enterprise Mobility + Security. This is a complete integrated solution and is the future direction for Microsoft.

Windows 10 Autopilot: could replace traditional imaging methods. Users will be able to self-provision their devices simply by authenticating with Azure Active Directory. Intune policies will then be automatically deployed to the devices during provisioning.

Note that comanagement is only supported for organizations that use standalone Intune. Therefore, to avail of this feature, organizations that have a ConfigMgr hybrid must first migrate to standalone Intune. I was very curious to test how much was involved in this.

Migrating from ConfigMgr hybrid to standalone Intune

Step 1 - import ConfigMgr data to Intune

The Data Importer Tool is an awesome tool that collects data about the objects in your ConfigMgr hierarchy (1610 or later). It then allows you to import your selected objects to Microsoft Intune. The object types it collects are:

Configuration items

Certificate profiles

Email profiles

VPN profiles

Wi-Fi profiles

Compliance policies

Apps

Deployments

Download the tool (Microsoft Intune Data Importer.exe, it's less than 5MB) and extract the files.

The first task is to give the Data Importer tool permission in Azure to access resources.

Execute "intunedataimporter.exe -GlobalConsent"

Enter your Global Admin credentials.

Accept the resources that the tool needs access to.

Now launch the tool (intunedataimporter.exe). Start the process.

Review the information that you should be aware of when using the tool.

Enter the ConfigMgr details.

The ConfigMgr objects data is collected.

There are some errors. It will not be possible to import some objects. You can choose to fix the issues or ignore these objects.

This is a summary of the objects to be imported.

Sign in to Intune.

The objects are imported into Intune.

Step 2 - prepare Intune for user migration

This includes:

fixing issues discovered during the data collection and import

verifying the imported objects

assigning Intune licenses to migrated users

verifying Intune user groups

configuring RBAC

configuring Exchange Connectors (if required)

Step 3 - change MDM authority to Intune standalone

(Note: before you change the MDM authority for the tenant you should test the process for a subset of users. Follow this process to exclude users from the ConfigMgr collection for testing).

The subscription has been removed and the MDM Authority has been changed to Intune. Note that it can take up to eight hours for a device to connect to the service after you change to the new MDM authority.